Tuesday, July 19, 2005

Mandatory Greasemonkey Update

Yesterday, Mark Pilgrim discovered and announced a very serious security vulnerability in Greasemonkey. The flaw allows any website whose URL matches at least one installed user script's include pattern (including catch-all * scripts) to read any local file on your machine, or to list the contents of local directories. The flaw applies to Greasemonkey on all platforms.

I'm working feverishly on a fix for this. But this will take several days. In the meantime, I strongly recommend that everyone either install Greasemonkey 0.3.5, or else disable or uninstall Greasemonkey completely.

Greasemonkey 0.3.5 is a "neutered" version of Greasemonkey, lacking all of the GM_* APIs which make Greasemonkey scripts more powerful than regular HTML. This means that scripts which depend on GM_* APIs will fail with Greasemonkey 0.3.5; scripts that only use standard DOM and JavaScript will keep working.

I have heard no reports of this flaw being exploited, but now that it's public knowledge it isn't safe to continue using any version of Greasemonkey other than 0.3.5. Please either upgrade to 0.3.5 or disable Greasemonkey until I can get a fix finished.

I'm aware of how badly this sucks for many of you. Please accept my deepest personal apologies and realize that I'll do my best to get a fixed Greasemonkey available just as soon as possible.
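The core of the problem is where the GM_* functions are reachable from. Below is an added, constructed model of that bug class; it is not Greasemonkey's code and does not reproduce the real 0.3.x injection mechanism or the fix that shipped later. It assumes a synchronous stand-in for GM_xmlhttpRequest backed by an in-memory table of "reachable" URLs (constructed sample data), a user script that legitimately uses the API, and a page script that probes for it. One model attaches the API to the page's global object; the other keeps it on a sandbox scope the page never gets a reference to.

```javascript
// Added example, not Greasemonkey's code: a constructed model of the
// flaw. A privileged helper modeled on GM_xmlhttpRequest can fetch any
// URL, including file:// ones. If the extension makes that helper visible
// on the page's global object, page script can call it; if the helper
// lives only in a sandbox scope handed to the user script, it cannot.

// Constructed "filesystem" and "network" the privileged helper can reach.
const REACHABLE = {
  "file:///etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
  "http://annotations.example/notes": "note: example annotation\n",
};

// Privileged API modeled on GM_xmlhttpRequest (synchronous for brevity).
function makePrivilegedApi() {
  return {
    GM_xmlhttpRequest(details) {
      if (!(details.url in REACHABLE)) {
        throw new Error("not in constructed table: " + details.url);
      }
      return { responseText: REACHABLE[details.url] };
    },
  };
}

// A legitimate user script: fetches a cross-site resource and annotates
// the page. It only ever sees the scope it is handed.
function annotateUserScript(scope) {
  const r = scope.GM_xmlhttpRequest({ url: "http://annotations.example/notes" });
  scope.document.title = "annotated: " + r.responseText.trim();
}

// Hostile page script: if GM_xmlhttpRequest is reachable from the page's
// global object, use it to read a local file. Returns null if it is not.
function hostilePageScript(win) {
  if (typeof win.GM_xmlhttpRequest !== "function") return null;
  return win.GM_xmlhttpRequest({ url: "file:///etc/passwd" }).responseText;
}

// Vulnerable injection model: GM_* functions are attached to the page's
// global object so the user script can find them, which means any script
// on the page finds them too.
function runVulnerable(pageGlobal, userScript, pageScript) {
  Object.assign(pageGlobal, makePrivilegedApi());
  userScript(pageGlobal);
  return pageScript(pageGlobal);
}

// Isolated model (hypothetical fix, illustrating the principle only):
// GM_* functions live on a sandbox object whose prototype is the page
// global. The user script reads page objects through the prototype chain,
// but nothing placed on the sandbox is reachable from pageGlobal.
function runIsolated(pageGlobal, userScript, pageScript) {
  const sandbox = Object.create(pageGlobal);
  Object.assign(sandbox, makePrivilegedApi());
  userScript(sandbox);
  return pageScript(pageGlobal);
}

// Run both models against a fresh fake page each and report what the
// hostile page script managed to read, plus whether the user script
// still did its job in the isolated model.
function demo() {
  const pageA = { document: { title: "page" } };
  const pageB = { document: { title: "page" } };
  return {
    vulnerableLeak: runVulnerable(pageA, annotateUserScript, hostilePageScript),
    isolatedLeak: runIsolated(pageB, annotateUserScript, hostilePageScript),
    userScriptStillWorks: pageB.document.title,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the vulnerable model the page script reads the constructed /etc/passwd contents; in the isolated model it gets null while the user script still annotates the page. The point generalizes to any extension that injects privileged helpers: whatever scope the page's own scripts can enumerate is the page's, and privileged functions must not be reachable from it.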

Could you explain a bit more as to what happens, i.e. does this happen by default or only with certain scripts that *leak* GM_* APIs? If so, how can we tell if a script leaks APIs, and how do you prevent it?

The exploit can happen on any page where a greasemonkey script is enabled. If you have a global GM script, then ANY web site out there can exploit the flaw by accessing the GM object. If you have only site-specific GM scripts, then only those allowed sites can exploit the flaw. If you trust those sites, then you are probably safe.

Regarding which 0.4's -- interpret "early versions" as all versions which exist right now. The one you have is afflicted. Sorry for the confusing language :-). I meant early as in, not even betas -- earlier than beta -- stuff that was floating around the mailing list.

You can find out what version you have by going to tools > extensions. It's next to the Greasemonkey title.

As far as I can see, it's only the GM_xmlhttpRequest API that is dangerous, and frankly, I don't see why it needs to be present, nor am I aware of any user scripts that use it. The existing XMLHttpRequest is all the scripts should need, why provide another less secure version?

Anyway, the point is, can't you remove just this API, instead of all of them?

Looks like you're over-reacting. Is there any way to exploit the other APIs that has not been mentioned? Please provide some more details.

The GM_xmlhttpRequest API is very useful and I have used it for my scripts. It allows you to mix content from different sites. The regular XMLHttpRequest has a same-origin policy, which limits its utility significantly.

The usual XMLHttpRequest that's available is confined to requests on the same domain. GM_xmlhttpRequest allows requests to any domain, which allows cross-site integration and stuff like personal proxies and annotations. Think Google Search that you roll on your own there.

As for overreacting, not so. This is a very severe exploit. It was important that a version without the exploit be immediately available, and that it be distributed as widely as possible. Breaking scripts is a small thing compared to opening up local files.

Aaron's been working on a new version that fixes the exploit and keeps compatibility. Delaying a fix on this for even a day would have been negligent. 0.4 is coming soon, and we'll all be happier for it.

Curious, but are GM user scripts injected into a webpage any differently than bookmarklets? User scripts and bookmarklets both seem to share a common trait of acting on a webpage's content but also being able to access functionality not available to the webpage. In the case of user scripts it's the GM_ functions, in the case of bookmarklets it's access to chrome URLs. If the two are implemented differently, then perhaps the user scripts should be implemented more like bookmarklets. Just a thought, I don't know what's going on under the hood.

Good luck on the patch. Losing the GM_ special functions for now is no big deal, most of the scripts I use do not need them, and those that do more than likely are suffering from feature bloat anyways :) Back to the basics of what GM was all about.

itub & jeremy dunck: I didn't know about all those scripts, thanks for pointing them out. Still, there was a reason for limiting the original XMLHttpRequest to a single domain, which this debacle with GM_XMLHttpRequest finely illustrates.

Fixing it to reject requests for local files will not be enough, I'm afraid, because it could also be used to make requests to hosts on the LAN (inside the firewall), which can contain potentially sensitive information, and there is no easy way to determine which hosts should be considered local.

The only true fix would be to make the GM_* functions completely inaccessible to any javascript code coming from the net.

Also, to clarify, the overreaction I was referring to consisted in removing ALL the GM_* functions from 0.3.5, when only removing GM_xmlhttprequest would have sufficed. The other GM APIs don't seem vulnerable. Or am I missing something?

I think any of the GM functions could be accessed by a website owner. So they could also potentially play with your greasemonkey settings using GM_setValue/_getValue.

Sure, most scripts don't have anything sensitive in those areas, but it could be annoying if a malicious website owner set all our Greasemonkey script settings to something else. Or at least that's my understanding of it...

The sooner the fix the better... I'm getting tired of seeing such a sad little monkey face in my status bar... lol... all jokes aside thanks for being upfront with the problem rather than hiding behind it all. I'm not mentioning names or anything, *cough* IE *cough*.

Anything worth doing is worth doing wrong till you can get it right. Greasemonkey is like that. I've put a reminder to check every day till your next shot. Thanks for your hard work and I'll be here, waiting.

I would like to point out that vendor choices in corporate environments suffer the same problems in the software development cycle as does Firefox. The key difference is, like in this case, there is the good ethics and morality present to do this kind of thing. I would much rather have bad news than think everything is working while running a ticking time bomb... Thanks very much for doing the right thing and taking the high path.

Actually, as I said in a comment to another thread I would like people inside my company (IBM) to actually find it easier to wind up with Firefox installed with GreaseMonkey and selected scripts. That puts the onus, IMHO, on those selected scripts. Which isn't the same as having them install any old script they stumble across on the web.

So I do think it is suitable for a corporate environment - once the security issues are sorted out.

Is there a possibility to disable this annoying warning which pops up at every page when Greasemonkey is used? I disabled all scripts but two for a site I feel sure with. So I don't want to see this warning on every page of this site.

It is truly ignorant to think this security flaw in GreaseMonkey reflects negatively on Firefox. Anyone can write an insecure plug-in for ANY browser. That does not mean you blame the browser for being insecure. So anyone that uses this flaw to say people should use IE instead are just plain ignorant, and should be ignored.

Anonymous#2 -- why is one bashing and making a big deal about Greasemonkey, Firefox and IE? Even so that IE may have many loopholes, it's a matter of choice which ones to use. I of course prefer Firefox over IE, but when it comes to Mac, I use both Firefox and Safari. There is bound to be one software that is the new craze or the best there is, then comes a hole or a problem and we kick it to the curb. Example: how many of us out there can really program these types of software? Yet we kick it to the curb? So dude, the one that made this Greasemonkey, keep up the GREAT work, since I find that those who are patient in learning how to write programs have the coolest gift one can have.
